Launching Tailscale Canaries is simple and requires the following:
- Tailscale account access.
- Tailscale enabled on your Console. Email support to enable it.
When a Tailscale Canary is launched it needs to join your organisation's tailnet. To do this, an auth key is needed. Tailscale offers a number of key types, each covering specific use cases. The auth key needed to allow a Canary to join your organisation's tailnet is a tagged auth key.
Note: the auth key must be a tagged key, otherwise it'll expire and the Canary will disconnect from your tailnet. This is a single-use key which allows the machine joining the tailnet to do so under a predetermined tag. The steps to set up and verify your tagged auth key, as well as launch your first Tailscale Canary, follow:
Configure Tailscale ACLs and create a tagged auth key
- Navigate to Tailscale Access Controls and use the Visual editor or JSON editor to add ACLs that define the tag to which the Canary will be assigned.
  Here is a minimal example where `tag:canary` is defined, where all members (with `tag:corp`) are allowed to access the canary and `tag:canary` cannot establish connections.

  ```
  {
    "groups": {
      // Security team members
      "group:security": ["alice@example.com"],
    },
    // Tests ensure the ACL rules work as expected
    // and new rules don't override the original intent
    "tests": [
      {"src": "tag:canary", "deny": ["tag:corp:22"], "accept": []},
    ],
    "acls": [
      // `tag:canary` cannot establish connections.
      {"action": "accept", "src": ["tag:canary"], "dst": []},
      // Allow all members to hit canary
      {"action": "accept", "src": ["tag:corp"], "dst": ["tag:canary:*"]},
    ],
    // Defines tags and their owners
    "tagOwners": {
      // Only the security group can add this tag
      "tag:canary": ["group:security"],
      // All members have access to this tag
      "tag:corp": ["autogroup:member"],
    },
  }
  ```
- On the access controls page select the "Preview rules" tab and select `tag:canary`. Ensure that the access granted to `tag:canary` is limited.
- Navigate to Settings > Keys and click on "Generate auth key...". Then toggle "Tags" on and click "Add tags" and select `tag:canary`.
- Click "Generate key" and then "Copy" to add the key to your clipboard.
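
The "Preview rules" check can also be run against the policy text itself, for example before a policy change is saved. The following is an added example, not Thinkst or Tailscale code: the function names are hypothetical, the sample policy is constructed, and it assumes the policy uses the `acls` section shown above, carries only `//` comments, and that `*` in `src` also matches the canary.

```python
import json

# Constructed sample: two rules from the page's policy plus one over-broad rule.
SAMPLE_POLICY = """{
  "acls": [
    // `tag:canary` cannot establish connections.
    {"action": "accept", "src": ["tag:canary"], "dst": []},
    {"action": "accept", "src": ["tag:corp"], "dst": ["tag:canary:*"]},
    // Constructed mistake: "*" as src also matches the canary (assumption)
    {"action": "accept", "src": ["*"], "dst": ["tag:corp:443"]},
  ],
}"""

def hujson_to_json(text):
    """Strip // comments and trailing commas that sit outside string literals."""
    out, in_str, i = [], False, 0
    while i < len(text):
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\":            # keep the escaped character verbatim
                i += 1
                out.append(text[i])
            elif c == '"':
                in_str = False
        elif text.startswith("//", i):
            i = text.find("\n", i)   # skip to end of line, keep the newline
            if i == -1:
                break
            continue
        else:
            if c in "}]":            # drop a comma left dangling before a closer
                j = len(out) - 1
                while j >= 0 and out[j].isspace():
                    j -= 1
                if j >= 0 and out[j] == ",":
                    del out[j]
            in_str = c == '"'
            out.append(c)
        i += 1
    return "".join(out)

def canary_outbound_rules(policy_text, tag="tag:canary"):
    """Return accept rules whose src matches `tag` (or "*") and whose dst is non-empty."""
    acls = json.loads(hujson_to_json(policy_text)).get("acls", [])
    return [r for r in acls
            if r.get("action") == "accept" and r.get("dst")
            and (tag in r.get("src", []) or "*" in r.get("src", []))]
```

An empty result means no `acls` rule lets the canary initiate a connection; the sample returns the constructed `*` rule.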
Launch Tailscale Canary
- Navigate to your Console https://{your hash}.canary.tools/nest/add-canary/tailscale or navigate to the flock you want the Canary to belong to and select "+ Add Canary" in the top right of the flock modal to add a canary.
- Paste the auth key and click "Launch".
- A few moments later...
Your Canary will be launched into the flock of your choosing and will be present under /machines on your organisation's Tailscale dashboard.
Manually Approving Devices
If you have device approval enabled, don't forget to approve your Tailscale Canary during the launch process. Internally we give a 3 minute window for the Canary to enrol in your Tailnet, after which the instance will be terminated. Under the Machines tab, filter for `disabled:needs-approval`, click the `...` option and select approve.